METHOD AND SYSTEM FOR DYNAMICALLY DISTRIBUTING UPDATES IN A NETWORK

This invention relates generally to computer networking, and more particularly to a method and system for dynamically distributing updates in a network.

BACKGROUND OF THE INVENTION

Computer networks have become an increasingly important means for communicating public and private information between and within distributed locations. The Internet is one example of a public network commonly used for communicating public and private information. Internet web servers provide access to public information, such as news, business information, and government information, which the Internet makes readily available around the world. The Internet is also becoming a popular forum for business transactions, including securities transactions and sales of goods and services. A large number of people have come to depend upon reliable Internet access and secure communications on a day-by-day and even second-by-second basis. Like the Internet, private networks also have become common means for communicating important information. Private networks, such as company intranets, local area networks (LANs), and wide area networks (WANs), generally limit access on a user-by-user basis and communicate data over dedicated lines or by controlling access through passwords, encryption, or other security measures.

One danger to reliable and secure network communications is posed by hackers or other unauthorized users disrupting or interfering with network resources. The danger posed by unauthorized access to computer network resources can vary from simple embarrassment to substantial financial losses. For example, serious financial disruptions occur when hackers obtain financial account information or credit card information and use that information to misappropriate funds.

Typically, network administrators use various levels of security measures to protect the network against unauthorized use. Intrusion detection systems are commonly used to detect and identify unauthorized use of a computer network before the network resources and information are substantially disrupted or violated. In general, intrusion detection systems look for specific patterns in network traffic, known as intrusion signatures, to detect malicious activity. Conventional intrusion detection systems often use finite state machines, simple pattern matching, or specialized algorithms to identify intrusion signatures in network traffic. Detected intrusion signatures are reported to network administration.

A problem with conventional intrusion detection systems is that when a new vulnerability, or type of attack on the network, is discovered, a new intrusion signature must be generated and installed for each intrusion detection system. As a result, unless a network administrator frequently checks for new signatures developed by an intrusion detection provider and installs the new signatures for each sensor in his or her system, the system will remain vulnerable to the new types of attack. Because new types of attacks appear more frequently than network administrators typically check with an intrusion detection provider for new signatures, networks often remain vulnerable to new types of attacks even though new signatures are available to identify and prevent such attacks.

SUMMARY OF THE INVENTION

The present invention provides a method and system for dynamically distributing intrusion detection and other types of updates in a network that substantially eliminate or reduce disadvantages and problems associated with prior methods and systems. In particular, the present invention automatically downloads updates from a remote site in response to a timed event.

In accordance with one embodiment of the present invention, a first version of a program operating at a network site is updated by automatically downloading from a remote site any update for the program in response to an automated event. A downloaded update is installed to generate a second version of the program. The second version of the program is operated at the network site in place of the first version.

More particularly, in accordance with a particular embodiment of the present invention, the automated event is a timed event. In this embodiment, the first version of the program is aged and the timed event is the first version reaching a specified age. The specified age may be 24 hours or other suitable age. In other embodiments, the timed event may be a specified time such that any updates are automatically downloaded once a day, once a week, or at other suitable frequency.

After installation of a downloaded update, it may be determined whether the second version of the program is operating correctly. In response to incorrect operation of the second version, the first version of the program may be restored for operation at the network site. In response to correct operation of the second version, the downloaded update may be distributed to disparate network sites operating the first version of the program. There, the downloaded update may be installed to generate the second version of the program at the disparate network sites. The second version of the program is operated in the place of the first version at the disparate network sites.

Technical advantages of the present invention include providing an improved method and system for distributing updates in a network. In particular, programs are automatically updated by downloading and distributing an update in response to an automated event, such as a timed event. As a result, systems with a common program separately running at several sites may update each site with no or minimal operator interaction. In addition, updates may be rolled back at each site in a system, automatically or with minimal operator interaction, in response to an upgrade problem.

Additional technical advantages of the present invention include providing an improved intrusion detection system. In particular, each intrusion detection sensor may automatically connect to a remote site and download new intrusion detection signatures. Each sensor may also distribute the new signatures to related sensors within a system. Accordingly, network vulnerability due to new types of attacks is reduced. In addition, an intrusion detection service provider may update all of its customers by simply providing new signatures on a website from which each customer's system will automatically connect to and download the new signatures in accordance with a specified frequency. Accordingly, the costs of providing intrusion detection services are reduced.

Other technical advantages will be readily apparent to one skilled in the art from the following figures, description, and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, wherein like reference numerals represent like parts, in which:

FIG. 1 is a block diagram illustrating a system for dynamically distributing intrusion detection signatures in accordance with one embodiment of the present invention;

FIG. 2 is a flow diagram illustrating a computer method for dynamically distributing intrusion detection signatures in the network of FIG. 1; and

FIG. 3 is a flow diagram illustrating a computer method for recovering from a problematic update in accordance with one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is a block diagram illustrating a system 10 for dynamically distributing updates in a network. In this embodiment, new intrusion signatures are distributed to remote intrusion detection sensors. The sensors use the intrusion signatures to detect and report unauthorized entry. It will be understood that the present invention may be used to distribute other suitable types of updates to intrusion detection and other suitable types of applications within a network.

Referring to FIG. 1, the system 10 includes a private network 12 and a public network 14. For the embodiment of FIG. 1, the private network is an Intranet 20 and the public network is an Internet 22. It will be understood that the private and public networks 12 and 14 may be other suitable types of networks.

The Intranet 20 includes a network interconnecting a plurality of hosts 24. The network is a local area network (LAN), a wide area network (WAN), or other suitable type of link capable of communicating data between the hosts 24. For the local area network embodiment, the network may be an Ethernet.

The hosts 24 are each a computer such as a personal computer, file server, workstation, minicomputer, mainframe or any general purpose or other computer or device capable of communicating with other computers or devices over a network. The hosts 24 operating on the border between the Intranet 20 and Internet 22 each include an intrusion detection sensor 26 for detecting and reporting unauthorized entry. As used herein, each means each of at least a subset of the identified items.

The intrusion detection sensors 26 each include a common set of intrusion signatures 28. The intrusion signatures 28 comprise patterns of network activity that denote or indicate unauthorized access or other harmful activity capable of damaging the host 24 or other aspect of the private network 12. Generally described, the intrusion detection sensors 26 detect such unauthorized access or attacks upon the host 24 by matching network traffic to the intrusion signatures 28.

The Internet 22 includes a sensor update server 30. The sensor update server 30 may be virtually any type of computer capable of storing intrusion updates 32 and communicating with other computers or devices over the Internet 22. The intrusion update 32 includes new intrusion signatures generated by an intrusion detection service provider in response to new types of attacks. The intrusion detection service provider generates the new signatures and provides them as the update 32 on a web page at the sensor update server 30 to allow customers to access the new signatures over the Internet 22. As described in more detail below, the update 32 is downloaded by customers over the Internet 22 and the new signatures added to the intrusion signatures 28 residing on the host 24. In this way, the intrusion detection sensors 26 are kept up-to-date and able to detect and report new types of network and/or host based attacks.

FIG. 2 is a flow diagram illustrating a computer method for dynamically distributing intrusion detection updates over the Internet 22 or other suitable network. It will be understood that other types of updates for other types of applications may be similarly distributed over the Internet 22 or other suitable network without departing from the scope of the present invention.

Referring to FIG. 2, the method begins at step 50 in which a specified event is received. The specified event may be an automated event or a user initiated event. The automated event may be any event generated by the sensor or other software or hardware in accordance with predefined instructions or a logical set of such events. In one embodiment, the automated event is a timed event that is directly or indirectly based upon the reaching or passing of a specified time. For this embodiment, the intrusion detection sensors 26 may automatically age the intrusion signatures 28 after each update to allow the intrusion detection sensors 26 to automatically determine when the intrusion signatures 28 may be in need of updating. In this embodiment, an update event is generated in response to the intrusion signatures 28 reaching a specified age, such as 24 hours or other suitable age. This allows the intrusion signatures 28 to be updated at a frequency that minimizes vulnerability of the private network 12 to new types of attacks. An event or action is in response to a specified event when the occurrence of the specified event directly or indirectly causes, at least in part, the responding event or action. Thus, other events may also be necessary to trigger the responding event or action, or intervene between the specified event and the responding event or action. The update event may be other suitable types of timed events such as, for example, a specified or scheduled time of day, week, or the like.

In a particular embodiment, a user may select a number of sensors to be subordinate to a primary intrusion detection sensor or set of primary sensors. In this embodiment, only the primary sensors are responsible for generating the update event and only their intrusion signatures 28 are aged. Alternatively, each intrusion detection sensor 26 may independently age its own intrusion signatures 28 and generate the update event in response to its intrusion signatures 28 reaching the specified age. In this embodiment, no one intrusion detection sensor 26 or limited set of sensors is solely relied upon to initiate updating.

Proceeding to step 52, the intrusion detection sensor 26 generating the update event automatically connects to the sensor update server 30 over the Internet 22. At decisional step 54, the intrusion detection sensor 26 automatically determines whether the sensor update server 30 includes an update 32 for the intrusion signatures 28. In one embodiment, the intrusion detection sensor 26 may compare a time stamp of its last update to that of a current file on the sensor update server 30. In this embodiment, the current file is an update 32 if the time stamp for the file is later than that for the last update for the intrusion detection sensor 26. If an update 32 is not available, then the current set of intrusion signatures 28 are up-to-date and the No branch of decisional step 54 leads to the end of the process. Accordingly, the intrusion signatures 28 are updated only when needed. However, if an update 32 is available on the sensor update server 30, the Yes branch of decisional step 54 leads to step 56.

At step 56, the intrusion detection sensor 26 automatically downloads the update 32. Preferably, the update 32 is downloaded in an encrypted format to prevent tampering and decrypted at the host 24. In addition, the update 32 may be protected by VPN, sequence numbering, other suitable form of secure communication, or a combination of forms.

Next, at decisional step 58, the intrusion detection sensor 26 automatically authenticates the update 32. In one embodiment, the update 32 is authenticated by ensuring that the update is for the existing set of intrusion signatures 28. If the update 32 is not authentic, then it should not be installed and the No branch of decisional step 58 leads to the end of the process. Accordingly, an update 32 that cannot be authenticated is not installed. However, if the update 32 is authentic, the Yes branch of decisional step 58 leads to step 60.

At step 60, the intrusion detection sensor 26 automatically installs the update 32 to add the new signatures to the preexisting intrusion signatures 28. Next, at decisional step 62, the intrusion detection sensor 26 automatically determines if it is operating correctly with the installed update by comparing its operation to specified parameters, limits and the like. If the intrusion detection sensor 26 is not operating correctly, then the No branch of decisional step 62 leads to step 64 where recovery processing is automatically initiated and the update 32 is uninstalled. Accordingly, the intrusion detection sensor 26 is returned to its previous state and the private network 12 is not left vulnerable by an incorrectly operating intrusion detection sensor 26. However, if the updated intrusion sensor 26 is operating correctly, the Yes branch of decisional step 62 leads to step 66.

At step 66, the intrusion detection sensor 26 automatically broadcasts an update message over the Intranet 20. The update message informs the other intrusion detection sensors 26 of the availability of the update 32. Next, at step 68, the update 32 is automatically transmitted to the intrusion detection sensors 26 that responded to the update message. In one embodiment, the update message identifies the update, and intrusion detection sensors 26 not having that update respond to request the update 32. The update 32 may be transmitted over the Intranet 20 in an encrypted format and a secure form and decrypted by each of the second stage intrusion detection sensors 26 as previously described for the first stage intrusion detection sensor 26 that originally received the update 32. If a sensor hierarchy is used, relationships between primary and secondary sensors may be predefined with the primary sensors each sending updates 32 to their respective secondary sensors. In addition, the relationship may be recursive with secondary sensors having their own children.

Proceeding to decisional step 70, each of the second stage intrusion detection sensors 26 authenticates the update 32 as previously described in connection with the first stage intrusion detection sensor 26. If the update 32 cannot be authenticated by a second stage intrusion detection sensor 26, the No branch of decisional step 70 returns to step 68 for that second stage intrusion detection sensor 26, where the update 32 is retransmitted to the intrusion detection sensor 26. Alternatively, or in response to several unsuccessful attempts to transmit an authentic update 32 to a second stage, the No branch of decisional step 70 may lead to the end of the process, where the update 32 is not installed for that intrusion detection sensor 26. After an authentic update 32 is received by a second stage intrusion detection sensor 26, the Yes branch of decisional step 70 leads to step 72.

At step 72, the update 32 is automatically installed for each of the second stage intrusion detection sensors 26 receiving an authentic update 32 to generate an updated set of intrusion signatures 28. Accordingly, all intrusion detection sensors 26 in the private network 12 are automatically updated to protect all avenues of access to the private network 12 from the new types of attacks.

Proceeding to decisional step 74, each of the second stage sensors 26 determines whether it is operating correctly with the installed update 32. If a second stage intrusion detection sensor 26 is not operating correctly, the No branch of decisional step 74 leads to step 76. At step 76, recovery processing is initiated for the intrusion detection sensor 26 and the update 32 is uninstalled. In this way, it is ensured that each of the intrusion detection sensors 26 is in a correctly operating condition. For each second stage intrusion detection sensor 26 operating correctly with the installed update 32, the Yes branch of decisional step 74 leads to the end of the process. Accordingly, the intrusion detection sensors 26 for the private network 12 have been automatically updated. With minimal user interaction, the intrusion detection sensors 26 may be frequently and efficiently updated to reduce the vulnerability of the private network 12 to new types of attacks.

It will be understood that the intrusion sensors 26 may be otherwise suitably updated without departing from the scope of the present invention. For example, although the method was described with the intrusion detection sensor 26 performing the specified actions, it will be understood that another application in or remotely from the hosts 24 may carry out the updating functionality identified for the intrusion detection sensor 26.

FIG. 3 illustrates a computer method for recovery processing in accordance with one embodiment of the present invention. Referring to FIG. 3, the method begins at step 90 in which a recovery event is received. The recovery event may be initiated by an intrusion detection sensor 26 in response to incorrect operation of the intrusion detection sensor 26. The recovery event may also be independently initiated by an operator to uninstall the update 32.

Proceeding to step 92, the update 32 is uninstalled from a first intrusion detection sensor 26. The first intrusion detection sensor 26 may be the first sensor 26 on which the update 32 was initially installed or another intrusion detection sensor 26 detecting incorrect operations or receiving a user command to initiate recovery processing. Uninstalling the update 32 returns the first intrusion detection sensor 26 to its previous state.

Next, at step 94, the first intrusion detection sensor 26 transmits a recovery message to the remaining intrusion detection sensors 26 in the private network 12 on which the update 32 was installed. Next, at step 96, each of the remaining intrusion detection sensors 26 uninstalls the update 32 in response to the recovery message. Accordingly, each intrusion detection sensor 26 in the private network 12 is returned to its previous state in response to a single recovery event. In this way, integrity of the private network 12 and the intrusion detection system for the private network 12 is maintained with each of the intrusion detection sensors 26 in a same state. Step 96 leads to the end of the process, by which each of the intrusion detection sensors 26 has been returned to a same recovery state.

Although the present invention has been described with several embodiments, various changes and modifications may be suggested to one skilled in the art. It is intended that the present invention encompass such changes and modifications as fall within the scope of the appended claims.
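The FIG. 2 update flow (timed event, update check, authenticate, install, self check, distribute to second stage sensors) and the FIG. 3 recovery flow, simulated in Python as an added example; this is not code from the patent or from any product it describes. It assumes a keyed HMAC tag over the update body as the stand-in for the authentication of steps 58 and 70, a regex-compile check of every signature as the stand-in for the self check of steps 62 and 74, and an integer version number in place of the time stamp compared at step 54.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field

# Constructed demo values. The patent says only that an update is "authenticated";
# the keyed tag below is this example's stand-in, checked separately from any
# transport encryption, since encryption by itself does not detect a modified file.
VENDOR_KEY = b"constructed-demo-key"
SPECIFIED_AGE_HOURS = 24            # the "specified age" of the summary

def make_update(base_version, new_version, new_signatures, key=VENDOR_KEY):
    """Build an update 32 as the sensor update server 30 would publish it."""
    body = {"base": base_version, "version": new_version, "signatures": new_signatures}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, raw, hashlib.sha256).hexdigest()}

@dataclass
class Sensor:
    """One intrusion detection sensor 26 holding its signature set 28."""
    name: str
    version: int
    signatures: dict                       # signature name -> regex over traffic
    age_hours: float = 0.0                 # time since the last update
    history: list = field(default_factory=list)   # saved states for uninstall

    def needs_update_event(self):          # step 50: timed event on signature age
        return self.age_hours >= SPECIFIED_AGE_HOURS

    def update_available(self, update):    # step 54: is the server's file newer?
        return update["body"]["version"] > self.version

    def authenticate(self, update, key=VENDOR_KEY):   # steps 58 / 70
        raw = json.dumps(update["body"], sort_keys=True).encode()
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
        tag_ok = hmac.compare_digest(expected, update["tag"])
        # plus the patent's own check: the update must be for the existing set
        return tag_ok and update["body"]["base"] == self.version

    def install(self, update):             # steps 60 / 72: keep the old state
        self.history.append((self.version, dict(self.signatures)))
        self.signatures.update(update["body"]["signatures"])
        self.version = update["body"]["version"]
        self.age_hours = 0.0

    def operating_correctly(self):         # steps 62 / 74: self check
        try:
            [re.compile(p) for p in self.signatures.values()]
            return True
        except re.error:
            return False

    def uninstall(self):                   # steps 64 / 76 / 92 / 96
        if not self.history:
            return False
        self.version, self.signatures = self.history.pop()
        return True

def distribute(primary, peers, server_update):
    """FIG. 2 for one primary sensor and its second stage peers; returns
    {sensor name: outcome}, empty when no update was due."""
    if not (primary.needs_update_event() and primary.update_available(server_update)):
        return {}
    if not primary.authenticate(server_update):
        return {primary.name: "rejected"}
    primary.install(server_update)
    if not primary.operating_correctly():
        primary.uninstall()                # peers never see a bad update
        return {primary.name: "rolled back"}
    outcome = {primary.name: "updated"}
    for peer in peers:                     # steps 66-76: update message and requests
        if not peer.update_available(server_update):
            continue                       # already has it, so does not request it
        if not peer.authenticate(server_update):
            outcome[peer.name] = "rejected"
            continue
        peer.install(server_update)
        if peer.operating_correctly():
            outcome[peer.name] = "updated"
        else:
            peer.uninstall()
            outcome[peer.name] = "rolled back"
    return outcome

def recover(origin, others):
    """FIG. 3: recovery event at origin, then a recovery message to the others."""
    return [s.name for s in [origin, *others] if s.uninstall()]
```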
What is claimed is:

1. A method for updating a first version of a program operating at a network site, comprising:

in response to an automated event, automatically downloading from a remote site any update for the program;

automatically installing a downloaded update to generate a second version of the program;

after installation of the downloaded update, automatically determining whether the second version of the program is operating correctly;

in response to correct operation of the second version, operating the second version of the program in place of the first version at the network site; and

in response to incorrect operation of the second version, automatically restoring the first version of the program for operation at the network site.

2. A method for updating a first version of a program operating at a network site, comprising:

in response to an automated event, automatically downloading from a remote site any update for the program;

installing a downloaded update to generate a second version of the program; and

operating the second version of the program in place of the first version at the network site;

automatically distributing the downloaded update to a disparate network site operating the first version of the program;

automatically installing the downloaded update to generate the second version of the program at the disparate network site; and

automatically operating the second version of the program in place of the first version at the disparate network site.

3. A method for updating a first version of a program operating at a network site, comprising:

in response to an automated event, automatically downloading from a remote site any update for the program;

installing a downloaded update to generate a second version of the program;

after installation of the downloaded update, automatically determining whether the second version of the program is operating correctly at the network site;

in response to incorrect operation of the second version, automatically restoring the first version of the program for operation at the network site; and

in response to correct operation of the second version at the network site:

    automatically distributing the downloaded update to a disparate network site operating the first version of the program;

    automatically installing the downloaded update to generate the second version of the program at the disparate network site; and

    automatically operating the second version of the program in place of the first version at the disparate network site.

4. A method for updating a first version of a program operating at a network site, comprising:

in response to an automated event, automatically downloading from a remote site any update for the program;

automatically installing a downloaded update to generate a second version of the program; and

operating the second version of the program in place of the first version at the network site;

broadcasting over a network an update message;

receiving in response to the update message a request for the downloaded update from each of a plurality of disparate network sites operating the first version of the program;

automatically distributing the downloaded update to the disparate network sites requesting the downloaded update;

automatically installing the downloaded update to generate the second version of the program at each of the disparate network sites; and

automatically operating the second version of the program in place of the first version at each of the disparate network sites.

5. The method of claim 4, further comprising:

receiving a recovery event at one of the network sites;

automatically restoring the first version of the program at the network site at which the recovery event was received;

broadcasting a recovery message from the network site over the network; and

automatically restoring the first version of the program at each of the remaining network sites operating the second version of the program.

6. The method of claim 5, wherein the recovery event occurs in response to incorrect operation of the second version of the program.

7. An intrusion detection system, comprising:

a private network including a plurality of sites connected to a public network, each site including an intrusion detection sensor operating with a first set of intrusion detection signatures; and

each of the intrusion detection sensors operable to automatically download from a remote site any update for the intrusion detection signatures in response to a specified event, to automatically install a downloaded update to generate a second set of intrusion detection signatures, to operate with the second set of intrusion detection signatures, and to automatically distribute the downloaded update to the remaining intrusion detection sensors for installation.

8. The system of claim 7, wherein the specified event is an automated event.

9. The system of claim 8, wherein the automated event is a timed event.